authorFlorian Weimer <fweimer@redhat.com>2019-04-08 11:19:38 +0200
committerFlorian Weimer <fweimer@redhat.com>2019-04-08 11:19:38 +0200
commit333221862ecbebde60dd16e7ca17d26444e62f50 (patch)
treeda1639481030c9cc8a8a478dad7308869cb783bc
parent3f8b44be0a658266adff5ece1e4bc3ce097a5dbe (diff)
resolv: Remove RES_INSECURE1, RES_INSECURE2
Always perform the associated security checks.
-rw-r--r--ChangeLog9
-rw-r--r--NEWS3
-rw-r--r--resolv/res_debug.c2
-rw-r--r--resolv/res_send.c32
-rw-r--r--resolv/resolv.h2
5 files changed, 25 insertions, 23 deletions
diff --git a/ChangeLog b/ChangeLog
index bc43b72067..6b7f19a1f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2019-04-08  Florian Weimer  <fweimer@redhat.com>
 
+	* resolv/resolv.h (RES_INSECURE1, RES_INSECURE2): Remove
+	definitions.
+	* resolv/res_send.c (send_dg): Always perform RES_INSECURE1 and
+	RES_INSECURE2 security checks.
+	* resolv/res_debug.c (p_option): Remove RES_INSECURE1 and
+	RES_INSECURE2 handling.
+
+2019-04-08  Florian Weimer  <fweimer@redhat.com>
+
 	resolv: Remove support for RES_USE_INET6 and the inet6 option.
 	* nscd/aicache.c (addhstaiX): Do not disable RES_USE_INET6.
 	* nscd/nscd_gehst_r.c (__nscd_gethostbyname_r): Always use
diff --git a/NEWS b/NEWS
index 53011b61e1..b58e2469d4 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,9 @@ Deprecated and removed features, and other changes affecting compatibility:
 * Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6
   resolver flag (deprecated in glibc 2.25) have been removed.
 
+* The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub
+  resolver have been removed from <resolv.h>.
+
 Changes to build and runtime requirements:
 
 * GCC 6.2 or later is required to build the GNU C Library.
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index e4664c1da6..4dac71f3c9 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -604,8 +604,6 @@ p_option(u_long option) {
 	case RES_DEFNAMES:	return "defnam";
 	case RES_STAYOPEN:	return "styopn";
 	case RES_DNSRCH:	return "dnsrch";
-	case RES_INSECURE1:	return "insecure1";
-	case RES_INSECURE2:	return "insecure2";
 	case RES_NOALIASES:	return "noaliases";
 	case RES_ROTATE:	return "rotate";
 	case RES_USE_EDNS0:	return "edns0";
diff --git a/resolv/res_send.c b/resolv/res_send.c
index ca441c4ce1..eeeb8acf27 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -1316,31 +1316,25 @@ send_dg(res_state statp,
 			 */
 			goto wait;
 		}
-		if (!(statp->options & RES_INSECURE1) &&
-		    !res_ourserver_p(statp, &from)) {
-			/*
-			 * response from wrong server? ignore it.
-			 * XXX - potential security hazard could
-			 *	 be detected here.
-			 */
-			goto wait;
-		}
-		if (!(statp->options & RES_INSECURE2)
-		    && (recvresp1 || !res_queriesmatch(buf, buf + buflen,
+
+		/* Paranoia check.  Due to the connected UDP socket,
+		   the kernel has already filtered invalid addresses
+		   for us.  */
+		if (!res_ourserver_p(statp, &from))
+		  goto wait;
+
+		/* Check for the correct header layout and a matching
+		   question.  */
+		if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,
 						       *thisansp,
 						       *thisansp
 						       + *thisanssizp))
 		    && (recvresp2 || !res_queriesmatch(buf2, buf2 + buflen2,
 						       *thisansp,
 						       *thisansp
-						       + *thisanssizp))) {
-			/*
-			 * response contains wrong query? ignore it.
-			 * XXX - potential security hazard could
-			 *	 be detected here.
-			 */
-			goto wait;
-		}
+						       + *thisanssizp)))
+		  goto wait;
+
 		if (anhp->rcode == SERVFAIL ||
 		    anhp->rcode == NOTIMP ||
 		    anhp->rcode == REFUSED) {
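Review bot: The new comment above `if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,` does not explain the combined condition, which is easy to misread: the datagram is dropped only when, for each of the two queries, that query either already has its response (`recvresp1` / `recvresp2`) or does not match the question in the answer buffer. Now that this check can no longer be switched off, I would spell that out, for example `/* Accept the response only if its question matches a query that is still unanswered; otherwise ignore it and keep waiting.  */`. The removed comments also recorded that a mismatch at either check could point to a forged or misdirected reply, and one sentence to that effect would keep the silent `goto wait` from being mistaken for dead code later, especially next to a comment that calls the address check "paranoia". The context lines that continue the condition (`*thisansp`, `+ *thisanssizp`) keep their old column and no longer line up under the opening parenthesis. send_dg starts and ends outside this hunk.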
diff --git a/resolv/resolv.h b/resolv/resolv.h
index ad053d9d14..7a8023ae9d 100644
--- a/resolv/resolv.h
+++ b/resolv/resolv.h
@@ -115,8 +115,6 @@ struct res_sym {
 #define RES_DEFNAMES	0x00000080	/* use default domain name */
 #define RES_STAYOPEN	0x00000100	/* Keep TCP socket open */
 #define RES_DNSRCH	0x00000200	/* search up local domain tree */
-#define	RES_INSECURE1	0x00000400	/* type 1 security disabled */
-#define	RES_INSECURE2	0x00000800	/* type 2 security disabled */
 #define	RES_NOALIASES	0x00001000	/* shuts off HOSTALIASES feature */
 #define RES_ROTATE	0x00004000	/* rotate ns list after each query */
 #define	RES_NOCHECKNAME \